Hunters Versus Gatherers: the Difference Between Passive and Active Cybersecurity

Effective management of cyber threats needs not just the right tools, but the right mindset.

5 April, 2016

The RSA Conference underscored that 2016 is the year of the hunter. The keynotes were full of references to advanced detection and hunting, and while many technology vendors continue to pursue the benefits of prevention, it’s become much harder to sustain interest in that approach as the most practical one.

In 2014, eSentire brought a 15-foot inflatable elephant to the RSA Conference and spoke loudly and clearly about “the elephant in the room”: you will be hacked.

Even back then, it was controversial to many, especially those companies that spoke of next-generation prevention. Firewalls and IDS systems were converging, and some new, largely unproven capabilities were being deployed in the anomaly and behavioral detection realms. But then and now, most people recognize that the core problem with these technologies hasn’t changed: they don’t deal with grey very well.

The real world is grey. The real world changes rapidly, and the rules of engagement differ vastly between the good guys and the bad guys. The expression “life isn’t fair” couldn’t be more applicable for today’s CISOs. But fortunately, there is a different approach that is becoming widely accepted as the practical way to effectively deal with cybersecurity; it involves balancing prevention with active detection.

Prevention can work very effectively for the set of attacks that can be readily and accurately detected through signatures or other threat intelligence. We consider these attacks to be the background radiation of the Internet. They never go away completely, because it’s more expensive to modify the attack infrastructure than it is to just spin up a new one. Hackers know that there will always be systems that aren’t patched, either because of poor patch hygiene or because the CISO doesn’t know the asset exists. The larger the organization, the more likely it is to have this problem. So exploits and malware from days long past still bounce around the Internet. A well-managed anti-malware system and a next-generation firewall should do an effective job of preventing these attacks, assuming they are kept up to date.

But the reality is, there is so much malware that it’s impossible for everyone to catch everything. This is why we commonly see a different vendor at the gateway from the vendor at the messaging server, and a different one on the endpoint.

It’s feasible to block a lot of yesterday’s attacks using these approaches, but they’re completely ineffective when dealing with the new attack. And if you recognize that the barrier to entry for a hacker is extremely low, you’ll see why the hacker will always have first-mover advantage over the guy trying to stop him.

The hacker has time and complexity on his side. He can evaluate the target and the technologies deployed within it. He can experiment in his own lab and even on your infrastructure. He isn’t encumbered by the same legal and moral issues that govern civil society. He is a criminal.

The practical approach to detecting these new attacks requires something that is now called “hunting”. We used to call it “threat management”, but “hunting” is a lot more exciting. And I think it’s a very appropriate term for the activities every analyst in our Security Operations Center initiates every day.

If we think of the enlightened approach as “hunting”, then the old, less effective approach could be considered “gathering”. A cybersecurity gatherer effectively lives off whatever is nearby. Gathering isn’t a particularly skillful activity. It’s passive and highly tactical. The gatherer lives primarily off log and Windows event data. It can be considered subsistence living, because in order to detect and investigate a threat, you require a very different and specialized set of tools and skills.

The hunter, on the other hand, doesn’t rely on historic knowledge of a threat. The hunter has learned through experience that the best way to find the threat is to play a more strategic game. The hunter deploys specialized tools and techniques to find, and ultimately kill, his prey. In the cybersecurity world, the hunter utilizes technologies that provide broad visibility into the field of play. He doesn’t rely only on spotters with limited knowledge of what they’re looking for. He is looking for things that may never have been seen before, and this requires some powerful technology to help do the heavy lifting. Detecting anomalies with great accuracy and consistency is an extremely difficult technological challenge. The human mind is much more effective at quickly qualifying an anomaly and, given the right tools, can quickly investigate and make a determination on the threat.

Our mission at eSentire has always been about threat detection. We’ve been delivering a continuous hunting service called Active Threat Protection™ for nearly a decade. It’s very difficult to actively hunt for threats in real time using disparate technologies and consoles. That’s why we continue to invest heavily in R&D to support a SOC infrastructure that consumes threat intel, logs and events as well as the signals generated from our Network Interceptor™ sensors. Our sensors are the early warning system, and they provide our SOC with an unmatched, powerful forensics capability that arms our hunters with the precise and sharp tools necessary to respond quickly to today’s ever-moving threats. The visibility our SOC has is broad and deep. It goes down to the packet level, and the ability to securely archive traffic gives our SOC the ability to go back in time to investigate potential threats.

The hunter is a useful analogy when talking about effective management of cyber threats. But it’s important to understand that there’s more to being a hunter than just saying it. The capabilities and tools available to a real cyber hunter are easy to contrast against those relying on a SIEM. Those are cyber gatherers. And they usually starve or get eaten by a tiger.